devise_cas_authenticatable 1.10.4 → 2.0.0.alpha1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0e52720581da9cbfecdabb24df82f099b140b5c282885dd0aa3a1fbef559fcb1
-  data.tar.gz: bb55162fe23ae48432b59140811fadd15e24918f0aa2647bcbd51d2094a210e2
+  metadata.gz: 52bd61c5ca7ea5f32d066698a57700fdcbd2cb3e6abc66dd59b338667639f29c
+  data.tar.gz: 9b3d4e96f44399d3e33dc09fea6bb236dc4af323b311c7d9a891e49e367adc41
 SHA512:
-  metadata.gz: 8d3c2e442a37315c935dd021b5f05a6e38a8e3112b2b8f7e8d0e11c31db3622ae10785d377ec9942e43c4d12b8a94b7faea9e863759a53dc5543fb4d4e7e6584
-  data.tar.gz: 84dd388a716bc5f31f3f0fd263b550a85a39ba183e46b67492923871981b30c1ab77a96e326f9592383d416e6b4195a44e9cdd65819797ca6c37407cd487ded1
+  metadata.gz: af34a5f2a67bc1649571ec302870892b258224e9908e04b2e3c17827033dff3fecb1fe45b833501beed7a81c98370136bc11f46113dfd2ee26036e62439de1a6
+  data.tar.gz: e90b704aa8832f25c1b60c109954dc5a5d424374845ed6469796b74c22cbb25a480913e8c66b560e4bcffa8411018a49df215c0cfd5f345aa79236c42ea257ff

data/.github/workflows/ruby.yml

@@ -0,0 +1,32 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: Ruby
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.6', '2.7', '3.0']
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - name: Run tests
+      run: bundle exec rake spec

data/.gitignore

@@ -7,4 +7,3 @@ spec/scenario/tmp/*
 log/*
 db/*
 Gemfile.*lock
-Gemfile

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog for devise\_cas\_authenticatable
 
+## Version 2.0.0.alpha1 - TBD
+
+* Switch from RubyCAS-client, which is deprecated, to rack-cas
+* Remove Devise.cas_client and cas_client_config_options as a result of this change
+
 ## Version 1.10.4 - April 26, 2019
 
 * Fixes for single sign out on Redis session store using newer Redis gems (thanks @ledestin!)

data/Gemfile

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in devise_cas_authenticatable.gemspec
+gemspec
+
+gem 'devise', '~> 4.8.0'
+gem 'rails', '~> 6.0.0'
+gem 'sqlite3', '~> 1.4'

data/README.md

@@ -6,16 +6,31 @@ Taking a lot of inspiration from [devise_ldap_authenticatable](http://github.com
 
 devise_cas_authenticatable is [CAS](http://www.jasig.org/cas) single sign-on support for
 [Devise](http://github.com/plataformatec/devise) applications.  It acts as a replacement for
-database_authenticatable.  It builds on [rubycas-client](https://github.com/rubycas/rubycas-client)
+database_authenticatable.  It builds on [rack-cas](https://github.com/biola/rack-cas)
 and should support just about any conformant CAS server (although I have personally tested it
 using [rubycas-server](http://github.com/gunark/rubycas-server)).
 
 Requirements
 ------------
 
-- Rails 3.0 or greater (works with 4.x versions as well)
-- Devise 1.2 or greater
-- rubycas-client
+- Rails 5.0 or greater
+- Devise 4.0 or greater
+
+devise_cas_authenticatable version 2 is a major rewrite
+-------------------------------------------------------
+
+devise_cas_authenticatable version 1 was based on
+[rubycas-client](https://github.com/rubycas/rubycas-client).  Now that rubycas-client is deprecated,
+devise_cas_authenticatable version 2 is based on [rack-cas](https://github.com/biola/rack-cas).
+
+In order to upgrade, you'll need to:
+
+* Make sure you're on a supported version of Devise (4.0 or above) and a supported version of Rails
+  (5.0 or above)
+* Add the rack-cas configuration to your application.rb (see below)
+* Remove the cas_base_url, cas_login_url, cas_logout_url, cas_validate_url, and
+  cas_client_config_options from your devise.rb initializer, if present
+* If using single sign out: [set up rack-cas's built-in single sign out support](https://github.com/biola/rack-cas#single-logout)
 
 Installation
 ------------
@@ -30,86 +45,71 @@ Setup
 
 Once devise\_cas\_authenticatable is installed, add the following to your user model:
 
-    devise :cas_authenticatable
+```ruby
+devise :cas_authenticatable
+```
 
 You can also add other modules such as token_authenticatable, trackable, etc.  Please do not
 add database_authenticatable as this module is intended to replace it.
 
 You'll also need to set up the database schema for this:
 
-    create_table :users do |t|
-      t.string :username, :null => false
-    end
+```ruby
+create_table :users do |t|
+  t.string :username, :null => false
+end
+```
 
 We also recommend putting a unique index on the `username` column:
 
-    add_index :users, :username, :unique => true
+```ruby
+add_index :users, :username, :unique => true
+```
 
 (Note: previously, devise\_cas\_authenticatable recommended using a `t.cas_authenticatable` method call to update the
 schema.  Devise 2.0 has deprecated this type of schema building method, so we now recommend just adding the `username`
 string column as above.  As of this writing, `t.cas_authenticatable` still works, but throws a deprecation warning in
 Devise 2.0.)
 
-Finally, you'll need to add some configuration to your config/initializers/devise.rb in order
-to tell your app how to talk to your CAS server:
-
-    Devise.setup do |config|
-      ...
-      config.cas_base_url = "https://cas.myorganization.com"
-
-      # you can override these if you need to, but cas_base_url is usually enough
-      # config.cas_login_url = "https://cas.myorganization.com/login"
-      # config.cas_logout_url = "https://cas.myorganization.com/logout"
-      # config.cas_validate_url = "https://cas.myorganization.com/serviceValidate"
-
-      # The CAS specification allows for the passing of a follow URL to be displayed when
-      # a user logs out on the CAS server. RubyCAS-Server also supports redirecting to a
-      # URL via the destination param. Set either of these urls and specify either nil,
-      # 'destination' or 'follow' as the logout_url_param. If the urls are blank but
-      # logout_url_param is set, a default will be detected for the service.
-      # config.cas_destination_url = 'https://cas.myorganization.com'
-      # config.cas_follow_url = 'https://cas.myorganization.com'
-      # config.cas_logout_url_param = nil
-
-      # You can specify the name of the destination argument with the following option.
-      # e.g. the following option will change it from 'destination' to 'url'
-      # config.cas_destination_logout_param_name = 'url'
-      
-      # By default, devise_cas_authenticatable will create users.  If you would rather
-      # require user records to already exist locally before they can authenticate via
-      # CAS, uncomment the following line.
-      # config.cas_create_user = false
-
-      # You can enable Single Sign Out, which by default is disabled.
-      # config.cas_enable_single_sign_out = true
-      
-      # If you don't want to use the username returned from your CAS server as the unique
-      # identifier, but some other field passed in cas_extra_attributes, you can specify
-      # the field name here.
-      # config.cas_user_identifier = nil
-
-      # If you want to use the Devise Timeoutable module with single sign out,
-      # uncommenting this will redirect timeouts to the logout url, so that the CAS can
-      # take care of signing out the other serviced applocations. Note that each
-      # application manages timeouts independently, so one application timing out will
-      # kill the session on all applications serviced by the CAS.
-      # config.warden do |manager|
-      #   manager.failure_app = DeviseCasAuthenticatable::SingleSignOut::WardenFailureApp
-      # end
-      
-      # You can also set another single sign out strategy so that you won't be attached to rails_cache.
-      # Be aware that to do so you also need to set the session_store.
-      # Example for setting redis_cache.
-      # There are some gems the help with it. One of them is called redis-rails and it can easily be set like this:
-      # Rails.application.config.session_store :redis_store, servers: ["redis://localhost:6379/0/session"]
-      # This is specially useful when you need to share session id accross apps (i.e. in a distributed environment)
-      # config.cas_single_sign_out_mapping_strategy = :redis_cache
-
-      # If you need to specify some extra configs for rubycas-client, you can do this via:
-      # config.cas_client_config_options = {
-      #     logger: Rails.logger
-      # }
-    end
+You'll need to configure rack-cas so that it knows where your CAS server is.  See the
+[rack-cas README](https://github.com/biola/rack-cas) for full instructions, but here is the
+bare minimum:
+
+```ruby
+config.rack_cas.server_url = "https://cas.myorganization.com" # replace with your server URL
+config.rack_cas.service = "/users/service" # If your user model isn't called User, change this
+```
+
+Finally, you may need to add some configuration to your config/initializers/devise.rb in order
+to tell your app how to talk to your CAS server.  This isn't always required.  Here's an example:
+
+```ruby
+Devise.setup do |config|
+  ...
+  # The CAS specification allows for the passing of a follow URL to be displayed when
+  # a user logs out on the CAS server. RubyCAS-Server also supports redirecting to a
+  # URL via the destination param. Set either of these urls and specify either nil,
+  # 'destination' or 'follow' as the logout_url_param. If the urls are blank but
+  # logout_url_param is set, a default will be detected for the service.
+  # config.cas_destination_url = 'https://cas.myorganization.com'
+  # config.cas_follow_url = 'https://cas.myorganization.com'
+  # config.cas_logout_url_param = nil
+
+  # You can specify the name of the destination argument with the following option.
+  # e.g. the following option will change it from 'destination' to 'url'
+  # config.cas_destination_logout_param_name = 'url'
+
+  # By default, devise_cas_authenticatable will create users.  If you would rather
+  # require user records to already exist locally before they can authenticate via
+  # CAS, uncomment the following line.
+  # config.cas_create_user = false
+
+  # If you don't want to use the username returned from your CAS server as the unique
+  # identifier, but some other field passed in cas_extra_attributes, you can specify
+  # the field name here.
+  # config.cas_user_identifier = nil
+end
+```
 
 Extra attributes
 ----------------
@@ -118,35 +118,31 @@ If your CAS server passes along extra attributes you'd like to save in your user
 using the CAS extra_attributes parameter, you can define a method in your user model called
 cas_extra_attributes= to accept these.  For example:
 
-    class User < ActiveRecord::Base
-      devise :cas_authenticatable
-
-      def cas_extra_attributes=(extra_attributes)
-        extra_attributes.each do |name, value|
-          case name.to_sym
-          when :fullname
-            self.fullname = value
-          when :email
-            self.email = value
-          end
-        end
+```ruby
+class User < ActiveRecord::Base
+  devise :cas_authenticatable
+
+  def cas_extra_attributes=(extra_attributes)
+    extra_attributes.each do |name, value|
+      case name.to_sym
+      when :fullname
+        self.fullname = value
+      when :email
+        self.email = value
       end
     end
+  end
+end
+```
 
 See also
 --------
 
 * [CAS](http://www.jasig.org/cas)
-* [rubycas-server](http://github.com/gunark/rubycas-server)
-* [rubycas-client](http://github.com/gunark/rubycas-client)
+* [rack-cas](https://github.com/biola/rack-cas)
 * [Devise](http://github.com/plataformatec/devise)
 * [Warden](http://github.com/hassox/warden)
 
-TODO
-----
-
-* Test on non-ActiveRecord ORMs
-
 License
 -------
 

data/app/controllers/devise/cas_sessions_controller.rb

@@ -1,33 +1,22 @@
 class Devise::CasSessionsController < Devise::SessionsController
-  include DeviseCasAuthenticatable::SingleSignOut::DestroySession
-
-  if Rails::VERSION::MAJOR < 4
-    unloadable # Rails 5 no longer requires this
-    skip_before_filter :verify_authenticity_token, :only => [:single_sign_out], :raise => false
-  else
-    skip_before_action :verify_authenticity_token, :only => [:single_sign_out], :raise => false
-  end
-
   def new
-    if memcache_checker.session_store_memcache? && !memcache_checker.alive?
-      raise "memcache is down, can't get session data from it"
-    end
-
-    redirect_to(cas_login_url)
+    # TODO: Figure out if there's a less hacky way to do this
+    RackCAS.config.service = cas_service_url
+    head 401
   end
 
   def service
     redirect_to after_sign_in_path_for(warden.authenticate!(:scope => resource_name))
   end
 
-  def unregistered
-  end
+  def unregistered; end
 
   def destroy
     # if :cas_create_user is false a CAS session might be open but not signed_in
     # in such case we destroy the session here
     if signed_in?(resource_name)
       sign_out(resource_name)
+      session.delete('cas')
     else
       reset_session
     end
@@ -35,63 +24,27 @@ class Devise::CasSessionsController < Devise::SessionsController
     redirect_to(cas_logout_url)
   end
 
-  def single_sign_out
-    if ::Devise.cas_enable_single_sign_out
-      session_index = read_session_index
-      if session_index
-        logger.debug "Intercepted single-sign-out request for CAS session #{session_index}."
-        session_id = ::DeviseCasAuthenticatable::SingleSignOut::Strategies.current_strategy.find_session_id_by_index(session_index)
-        if session_id
-          logger.debug "Found Session ID #{session_id} with index key #{session_index}"
-          destroy_cas_session(session_index, session_id)
-        end
-      else
-        logger.warn "Ignoring CAS single-sign-out request as no session index could be parsed from the parameters."
-      end
-    else
-      logger.warn "Ignoring CAS single-sign-out request as feature is not currently enabled."
-    end
-
-    head :ok
-  end
-
   private
 
-  def read_session_index
-    if request.headers['CONTENT_TYPE'] =~ %r{^multipart/}
-      false
-    elsif request.post? && params['logoutRequest'] =~
-        %r{^<samlp:LogoutRequest.*?<samlp:SessionIndex>(.*)</samlp:SessionIndex>}m
-      $~[1]
-    else
-      false
-    end
-  end
-
-  def destroy_cas_session(session_index, session_id)
-    if destroy_session_by_id(session_id)
-      logger.debug "Destroyed session #{session_id} corresponding to service ticket #{session_index}."
-    end
-    ::DeviseCasAuthenticatable::SingleSignOut::Strategies.current_strategy.delete_session_index(session_index)
-  end
-
   def cas_login_url
-    ::Devise.cas_client.add_service_to_login_url(::Devise.cas_service_url(request.url, devise_mapping))
+    RackCAS::Server.new(RackCAS.config.server_url).login_url(cas_service_url).to_s
   end
   helper_method :cas_login_url
 
   def request_url
     return @request_url if @request_url
+
     @request_url = request.protocol.dup
     @request_url << request.host
-    @request_url << ":#{request.port.to_s}" unless request.port == 80
+    @request_url << ":#{request.port}" unless request.port == 80
     @request_url
   end
 
   def cas_destination_url
     return unless ::Devise.cas_logout_url_param == 'destination'
+
     if !::Devise.cas_destination_url.blank?
-      url = Devise.cas_destination_url
+      Devise.cas_destination_url
     else
       url = request_url.dup
       url << after_sign_out_path_for(resource_name)
@@ -100,8 +53,9 @@ class Devise::CasSessionsController < Devise::SessionsController
 
   def cas_follow_url
     return unless ::Devise.cas_logout_url_param == 'follow'
+
     if !::Devise.cas_follow_url.blank?
-      url = Devise.cas_follow_url
+      Devise.cas_follow_url
     else
       url = request_url.dup
       url << after_sign_out_path_for(resource_name)
@@ -113,15 +67,17 @@ class Devise::CasSessionsController < Devise::SessionsController
   end
 
   def cas_logout_url
-    begin
-      ::Devise.cas_client.logout_url(cas_destination_url, cas_follow_url, cas_service_url)
-    rescue ArgumentError
-      # Older rubycas-clients don't accept a service_url
-      ::Devise.cas_client.logout_url(cas_destination_url, cas_follow_url)
+    server = RackCAS::Server.new(RackCAS.config.server_url)
+    destination_url = cas_destination_url
+    follow_url = cas_follow_url
+    service_url = cas_service_url
+
+    if destination_url
+      server.logout_url(destination: destination_url, gateway: 'true').to_s
+    elsif follow_url
+      server.logout_url(url: follow_url, service: service_url).to_s
+    else
+      server.logout_url(service: service_url).to_s
     end
   end
-
-  def memcache_checker
-    @memcache_checker ||= DeviseCasAuthenticatable::MemcacheChecker.new(Rails.configuration)
-  end
 end

data/app/views/devise/cas_sessions/unregistered.html.erb

@@ -1,3 +1,3 @@
-<p>The user <%=h params[:username] %> is not registered with this site.  
-  Please <%= link_to "sign in using a different account", 
-  Devise.cas_client.logout_url(send("new_#{resource_name}_session_url")) %>.</p>
+<p>The user <%=h params[:username] %> is not registered with this site.
+  Please <%= link_to "sign in using a different account",
+  RackCAS::Server.new(RackCAS.config.server_url).logout_url(destination: send("new_#{resource_name}_session_url")).to_s %>.</p>